{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40246", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T17:31:45.786Z", "datePublished": "2026-04-16T21:40:03.598Z", "dateUpdated": "2026-04-16T21:40:03.598Z"}, "containers": {"cna": {"title": "free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-g9cw-qwhf-24jp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-g9cw-qwhf-24jp"}], "affected": [{"vendor": "free5gc", "product": "free5gc", "versions": [{"version": "<= 1.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T21:40:03.598Z"}, "descriptions": [{"lang": "en", "value": "free5GC is an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR service, the handler for deleting Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription is deleted regardless. An unauthenticated attacker with access to the 5G Service Based Interface can delete arbitrary Traffic Influence Subscriptions by supplying any value for the influenceId path segment, while the API misleadingly returns a 404 Not Found response. A patched version was not available at the time of publication."}], "source": {"advisory": "GHSA-g9cw-qwhf-24jp", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "free5GC is an open-source implementation of the 5G core network. In versions 1.4.2 and below of the UDR service, the handler for deleting Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when validation fails. Execution continues and the subscription is deleted regardless. An unauthenticated attacker with access to the 5G Service Based Interface can delete arbitrary Traffic Influence Subscriptions by supplying any value for the influenceId path segment, while the API misleadingly returns a 404 Not Found response. A patched version was not available at the time of publication."}], "id": "CVE-2026-40246", "lastModified": "2026-04-16T22:16:38.370", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T22:16:38.370", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-g9cw-qwhf-24jp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "free5gc", "source": "cna", "vendor": "free5gc"}, "product": "free5gc", "vendor": "free5gc"}], "analysis": {"en": {"generated_at": "2026-04-17T02:25:04.287681+00:00", "value": {"mitigation_remediation": ["Limit access to the 5G Service Based Interface to authenticated and authorized users only", "Apply a vendor\u2011released patch for free5gc UDR when it becomes available", "Implement additional validation to ensure the influenceId equals the allowed value before processing a deletion request", "Monitor logs for unauthorized delete attempts and investigate anomalies promptly"], "summary": {"action": "Assess Impact", "impact": "Unauthorized deletion of Traffic Influence Subscriptions by unauthenticated users"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the free5gc UDR service in versions 1.4.2 and earlier. Only the free5gc:free5gc product is impacted; other free5gc components are unaffected.", "description_and_impact": "In the UDR service of free5GC, the delete handler for Traffic Influence Subscriptions verifies that the influenceId in the URL is \"subs-to-notify\" but fails to abort execution after returning a 404 response when validation fails. As a result, regardless of the supplied influenceId value, the handler continues and removes the subscription from the system. The flaw permits an attacker without authentication to delete any Traffic Influence Subscriptions simply by issuing a delete request to the 5G Service Based Interface. The API misleads the caller with a 404 response while the subscription is actually removed, masking the action.", "risk_and_exploitability": "The CVSS score of 8.7 marks this as high severity, and its EPSS score is not available; the issue has not been catalogued in KEV. An unauthenticated attacker can exploit the flaw by sending a delete request over the 5G Service Based Interface. Because no authentication or authorization check is performed, the attacker can target any Traffic Influence Subscription, potentially disrupting service notifications or traffic management policies."}}}}, "created": "2026-04-16T23:30:04.077346+00:00", "updated": "2026-04-17T02:30:07.314165+00:00", "vendors": ["free5gc", "free5gc$PRODUCT$free5gc"]}